Powered by MOMENTUM MEDIA
ACSC warns Aussie organisations of ongoing targeting of code repositories

The Australian Cyber Security Centre has issued a high alert over a series of attacks on online code repositories, as experts suggest “secrets sprawl” is a massive blind spot.


The Australian Signals Directorate’s (ASD) Australian Cyber Security Centre (ACSC) released a ‘high alert: act quickly-level’ advisory on Friday (19 September) following a string of cyber attacks targeting online code repositories.

“This alert is relevant to all Australians and Australian organisations that maintain online code repositories and public software packages,” the ASD said in its 19 September advisory.

The ASD said it was aware of threat actors using several methods to gain access to these repositories, including phishing, social engineering, compromised credentials and authentication tokens, and infected software packages.

“Threat actors have been observed abusing legitimate tooling and functions to achieve these results, rather than bespoke tooling,” the ASD said.

“The risk of exposed code bases can allow actors a better understanding of internal processes and systems, increasing an organisation’s attack surface and enabling future, novel attacks.”

The ASD recommends that concerned organisations review their logs for recent package installations, validate all packages, and inform users of the danger of using unverified software packages.

The warning comes in the wake of two attacks on popular code repositories hosting packages that are downloaded millions of times each week. In one case, even cyber security giant CrowdStrike fell victim to a tranche of npm packages infected by a self-replicating worm known as Shai Hulud, although the company acted quickly to contain the incident.

“What’s significant here is not just attacker capability but attacker tradecraft. This wave of repository targeting blends social engineering with living-off-the-land (LOTL) techniques – abusing legitimate tools and workflows so malicious activity looks like business as usual,” said Dennis Baltazar, principal cloud and DevSecOps solutions at Avocado Consulting.

“Attackers don’t need bespoke malware when pipelines are already paved for them.”

The issue, according to Baltazar, is what he calls “secrets sprawl”.

“The biggest blind spot we see isn’t a zero-day, it’s secrets sprawl. Keys and tokens in code or CI/CD logs turn a minor repo slip into organisation-wide compromise,” Baltazar said.

“Leaders should ask two questions today: Do we know where secrets and privileged access still live in code, pipelines and SaaS integrations – and how fast can we rotate or remove them? And do we measure dependency integrity and anomalous pipeline behaviour with the same rigour we apply to production systems?

“Good security teams rotate secrets; great teams eradicate them from code, instrument their pipelines, and catch abuse in runtime before it becomes an incident.”
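A defensive illustration of the blind spot Baltazar describes: the following Python, added here as an example and not code from the article or from any vendor, scans constructed sample lines from a source file and a CI log for credentials with well-known token prefixes and reports redacted findings so the affected secrets can be rotated. The prefix patterns and the sample lines are assumptions for illustration, not an exhaustive scanner.

```python
import re
from dataclasses import dataclass

# Illustrative token shapes (assumption: common prefix formats; not exhaustive).
TOKEN_PATTERNS = {
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "npm_token": re.compile(r"\bnpm_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}


@dataclass
class Finding:
    source: str     # file or log the secret was found in
    line_no: int    # 1-based line number within that source
    kind: str       # which pattern matched
    redacted: str   # prefix and last four characters only, never the full value


def redact(token: str) -> str:
    """Keep enough of the token to identify it for rotation without re-leaking it."""
    return token[:4] + "..." + token[-4:]


def scan_lines(source: str, lines: list[str]) -> list[Finding]:
    """Run every pattern over every line and collect redacted findings."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        for kind, pattern in TOKEN_PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append(Finding(source, line_no, kind, redact(match.group(0))))
    return findings


# Constructed sample inputs (not from the article): a config file with a hardcoded
# publish token, and a CI log where a step echoed credentials into the build output.
SAMPLE_CODE = [
    'NPM_TOKEN = "npm_ZYXWVUTSRQPONMLKJIHGFEDCBA9876543210"  # should be injected at runtime',
    "timeout = 30",
]
SAMPLE_CI_LOG = [
    "2025-09-19T10:02:11Z [step publish] token=ghp_0123456789abcdefghijklmnopqrstuvwxyz",
    "2025-09-19T10:02:12Z [step deploy] aws configure set aws_access_key_id AKIAIOSFODNN7EXAMPLE",
    "2025-09-19T10:02:13Z [step test] 42 passed",
]


def scan_all() -> list[Finding]:
    """Scan both the code and the CI log; any finding means that credential must be rotated."""
    return scan_lines("config.py", SAMPLE_CODE) + scan_lines("ci.log", SAMPLE_CI_LOG)


if __name__ == "__main__":
    for f in scan_all():
        print(f"{f.source}:{f.line_no} {f.kind} {f.redacted} -> rotate")
```

Findings in CI logs deserve the fastest rotation, since build output is usually readable far more widely than the repository itself.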

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
